Why Kubernetes does not work directly with containers
Could someone please explain to me (or just point me to a detailed resource) why Kubernetes uses this wrapper (the Pod) around containers? Every resource I come across only repeats the same phrase: "it is the smallest unit in k8s". What I am looking for is the reason from an engineering point of view. I do understand that it provides the namespaces for storage and networking of the inner containers, but the best practice is to keep a single container in a Pod anyway.
Before getting familiar with k8s I used docker-compose a lot, and I find it hard to understand why this extra layer (wrapper) is needed around a very simple entity, the container.
The reason for this decision is simply that a Pod may contain multiple containers that do different things.
First, a Pod may have an init-container, responsible for doing some startup operations that ensure the main container(s) work properly. I could have an init-container load some configuration and prepare things for the main application, or do some basic operations like restoring a backup or something similar.
I can basically inject a series of operations to exec before starting the main application, without having to build the main application container image again.
Second, even though there is no problem with most applications using just one container per Pod, there are cases where multiple containers in the same Pod can be useful.
One example could be having the main application running, and then a sidecar container acting as a proxy in front of the main application, perhaps responsible for checking JWT tokens.. or another example could be a helper application that extracts metrics from the main application or similar things.
Finally, let me quote the Kubernetes documentation (https://kubernetes.io/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume/)
The primary reason that Pods can have multiple containers is to support helper applications that assist a primary application. Typical examples of helper applications are data pullers, data pushers, and proxies. Helper and primary applications often need to communicate with each other. Typically this is done through a shared filesystem, as shown in this exercise, or through the loopback network interface, localhost. An example of this pattern is a web server along with a helper program that polls a Git repository for new updates.
Update
As you said, init containers.. or multiple containers in the same Pod are not a must; all the features I listed can also be obtained in other ways, for example with entrypoints or with two separate Pods communicating with each other instead of two containers in the same Pod.
There are several advantages to using these features; let me quote the Kubernetes documentation again (https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
Because init containers have separate images from app containers, they have some advantages for start-up related code:
Init containers can contain utilities or custom code for setup that are not present in an app image. For example, there is no need to make an image FROM another image just to use a tool like sed, awk, python, or dig during setup.
The application image builder and deployer roles can work independently without the need to jointly build a single app image.
Init containers can run with a different view of the filesystem than app containers in the same Pod. Consequently, they can be given access to Secrets that app containers cannot access.
Because init containers run to completion before any app containers start, init containers offer a mechanism to block or delay app container startup until a set of preconditions are met. Once preconditions are met, all of the app containers in a Pod can start in parallel.
Init containers can securely run utilities or custom code that would otherwise make an app container image less secure. By keeping unnecessary tools separate you can limit the attack surface of your app container image.
The same applies to multiple containers running in the same Pod: they can communicate with each other securely without exposing that communication to other containers on the cluster, since they keep the communication local.
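The pattern the answer describes, as an added example manifest that is not part of the original post: an init container that alone mounts a bootstrap Secret and writes config into a shared volume, an app container that listens on the Pod's loopback only, and a JWT-checking proxy sidecar that is the only container exposed. All names, images, tags and the config URL are assumed placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: web-with-helpers            # hypothetical Pod name
spec:
  volumes:
    - name: app-config              # shared by init and app containers, lives as long as the Pod
      emptyDir: {}
    - name: bootstrap-secret        # mounted by the init container only
      secret:
        secretName: bootstrap-credentials   # assumed to exist in the namespace
  initContainers:
    - name: fetch-config
      image: curlimages/curl:8.5.0  # assumed tag; the init image carries tools the app image lacks
      command: ["sh", "-c"]
      args:
        - |
          # Runs to completion before any app container starts; the app never sees the token.
          curl -fsS -H "Authorization: Bearer $(cat /bootstrap/token)" \
            https://config.internal.example/app.yaml -o /config/app.yaml
      volumeMounts:
        - name: app-config
          mountPath: /config
        - name: bootstrap-secret
          mountPath: /bootstrap
          readOnly: true
  containers:
    - name: app
      image: registry.example/app:1.2.3         # placeholder image
      # Bound to 127.0.0.1 of the Pod's network namespace: unreachable from other Pods,
      # reachable only through the sidecar below.
      args: ["--listen", "127.0.0.1:8080", "--config", "/config/app.yaml"]
      volumeMounts:
        - name: app-config
          mountPath: /config
          readOnly: true
    - name: auth-proxy
      image: registry.example/jwt-proxy:0.4     # placeholder image
      # Validates the JWT on each request, then forwards over loopback to the app.
      args: ["--listen", "0.0.0.0:8443", "--upstream", "http://127.0.0.1:8080"]
      ports:
        - containerPort: 8443
```

Only port 8443 of the proxy is exposed by the Pod; the app's unauthenticated port and the bootstrap Secret stay inside the Pod boundary.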